Abstract: A method of defining priority of a number of data packets within a queue includes generating a policy. The policy defines a first multiplexed channel of a plurality of multiplexed channels. The first multiplexed channel having a first priority. The policy also defines a second multiplexed channel of the plurality of multiplexed channels. The second multiplexed channel having a second priority. The first priority is defined as being of a higher priority relative to the second priority. The method further includes receiving the number of data packets over the plurality of multiplexed channels associated with a session based at least in part on the policy.

Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may send an indication of a hostname to be used by the client device to send data-plane traffic to the data-node. As such, when a packet including the hostname corresponding with the data-plane node is received, the packet may be forwarded to the data-plane node.

Abstract: A system and computer-implemented method for routing an encrypted packet through a cloud enforcement network based on a metadata tag. The cloud enforcement network applies policy and routing attributions or tags outside of the encrypted packet payload in such a way as to not require an inner packet to first be decrypted. Traffic prioritization, data protection, and per application policies are achieved by using such metadata tags for internode routing without the need for DPI or decryption. Furthermore, the metadata itself can also be signed or encrypted depending on the provenance of the data. As such, applying meta-tagging external to an encrypted packet, the payload would not be needed to be decrypted during transit of the packet to express end-to-end policy and routing decisions.

Abstract: Systems and methods are provided for receiving information associated with a final single sign-on page from a native browser, extracting a public key from the information associated with the final single sign-on page, generating a single sign-on token to bind a browser session and a native application session, associating the single sign-on token with the public key extracted from the information associated with the final single sign-on page, and encrypting the single sign-on token with the public key to bind the browser session and the native application session.

Abstract: Techniques for using computer networking protocol extensions to route control-plane traffic and data-plane traffic associated with a common application are described herein. For instance, a traffic flow associated with an application may be established such that control-plane traffic is sent to a control-plane node associated with the application and data-plane traffic is sent to a data-plane node associated with the application. When a client device sends an authentication request to connect to the application, the control-plane node may send an indication of a hostname to be used by the client device to send data-plane traffic to the data-node. As such, when a packet including the hostname corresponding with the data-plane node is received, the packet may be forwarded to the data-plane node.

Abstract: A method of defining priority of a number of data packets within a queue includes generating a policy. The policy defines a first multiplexed channel of a plurality of multiplexed channels. The first multiplexed channel having a first priority. The policy also defines a second multiplexed channel of the plurality of multiplexed channels. The second multiplexed channel having a second priority. The first priority is defined as being of a higher priority relative to the second priority. The method further includes receiving the number of data packets over the plurality of multiplexed channels associated with a session based at least in part on the policy.

Abstract: Techniques are provided for transmitting data securely across virtual private network (VPN) connections. A first VPN connection is initiated between a first device and a second device. The second device selects a first communication protocol to be used for the first VPN connection with the first device. The first device generates session identification data associated with the first VPN connection and sends the session identification data to the second device over the first VPN. The second device receives the session identification data and stores it. The second device determines when the first VPN connection has been disrupted. The second device then selects a second communication protocol and initiates a second VPN connection using the second communication protocol with the first device. The second device transmits the session identification data to the first device, and the first device associates the second VPN connection with the first VPN connection using session identification data.

Abstract: Techniques are provided for transmitting data securely across virtual private network (VPN) connections. A first VPN connection is initiated between a first device and a second device. The second device selects a first communication protocol to be used for the first VPN connection with the first device. The first device generates session identification data associated with the first VPN connection and sends the session identification data to the second device over the first VPN. The second device receives the session identification data and stores it. The second device determines when the first VPN connection has been disrupted. The second device then selects a second communication protocol and initiates a second VPN connection using the second communication protocol with the first device. The second device transmits the session identification data to the first device, and the first device associates the second VPN connection with the first VPN connection using session identification data.

Abstract: A method, and computer program product for providing dynamically tunneling over an unreliable protocol or a reliable protocol based on network conditions is presented. A connection between a source device and a destination device is established using a reliable protocol. An attempt is then made to utilize an unreliable protocol to communicate between the source device and the destination device. When the attempt to utilize an unreliable protocol is successful, then the unreliable protocol is used to transmit data between the source device and the destination device. When the attempt to utilize the unreliable protocol is unsuccessful, then the reliable protocol connection is used to transmit data between the source device and the destination device.